The human brain is programmed to keep us safe and secure. Yes, we are separated from the rest of the animal kingdom by our advanced capacities for sense-making and decision-making, but at the core of our grey matter remains some primitive but powerful tech tasked with keeping us alive. If your amygdala senses danger, it makes a split-second decision and triggers the fight-or-flight response, flooding your body with hormones like adrenaline that prepare you for battle. This overrides the cortex – the sophisticated part of the brain we rely on for problem-solving and strategic thinking – making it hard to do anything but react to the moment.
This ancient response has evolved very little over the past 50,000 years. What has changed, however, is what triggers it. The dangers for which the fight-or-flight response was intended – wild animals and marauding tribes, for example – are no longer relevant. Instead we have financial stress, traffic, a difficult boss or relationship troubles. The amygdala does not distinguish between these threats and a pride of lions hunting you on the savanna – they are perceived as equally dangerous – which is why people can become physically stressed by thoughts in their head. This system is always online, and it is good at ensuring our physical security.
But what about our Internet of Things (IoT) security?
Because most people regard the ‘real world’ and the ‘digital world’ as distinct and separate realms, they do not have the same fear of a cyber-kinetic attack as a physical attack. It simply doesn’t trigger the same response in the brain, so we tend to ignore it. But there is no longer a distinction between the digital and the real.
We live on the brink of an era in which cyber-kinetic vulnerabilities of IoT technologies will become a bigger danger to our physical safety than the weather or traditional violent crimes. The threat is real, and our imminent transition into a 5G world raises the stakes even further.
Unlike with physical security, we have not been honed by millennia of evolution to deal with IoT risks. Yet the challenges are complex and as extensive as the network itself. They are also dynamic, constantly shifting as cybercriminals employ new strategies for overcoming always-evolving defenses.
As the IoT grows beyond consumer-centric devices and smart homes, the risks increase. Threats become physical and include hacked control systems in self-driving cars, attacks on smart grids and corruption of critical medical devices like pacemakers and insulin pumps.
In response, IoT security has to become contextual and adaptive; capable of changing to support rapidly morphing threat and business use cases; and has to cut across traditional silos of cybersecurity, health and safety, engineering and others. It’s a daunting task for any organization, so where do they begin?
An obvious first step is the adoption of an IoT security framework. This guides a company in properly securing its devices or network and serves as a tool or a checklist for which layers of the Internet of Things it needs to pay attention to. This is not a magic bullet; it is a collection of steps and best practices for securing the IoT.
The issue is this: While several industry leaders have developed IoT security frameworks and standards, none of these frameworks has earned broad adoption. There is also an inherent resistance to using such frameworks, as innovation-driven businesses repeatedly prioritize delivery to market over integration of IoT security practices.
As a result, governments need to be more involved in IoT security, at least until the industry more broadly accepts that IoT security, if done right, can become a competitive advantage and even speed up innovation.
Both consumers and organizations want (and need!) IoT security frameworks
According to a Gemalto survey, 96% of organizations and 90% of consumers want government-enforced IoT regulation. There are several reasons why.
For consumers, the motivation is clear: Nobody likes the idea of hackers accessing their smartphones or laptops, remotely activating their webcams, or using their devices to launch a distributed denial-of-service attack to shut down sites like Spotify and Twitter. However, the fact that consumers don’t take the IoT security of their less sexy devices (e.g. printers, cameras, DVRs) as seriously is an indication of how little the average person understands the extent of the risk, or how to evaluate the security of their devices.
Governments must take the lead on IoT security frameworks in order to help consumers gain a basic understanding of what a device needs in order to be secure. If even IT professionals face a steep learning curve, imagine the everyday consumer’s challenges assessing a device’s security.
The motivation for organizations is more complex. Many businesses are fundamentally opposed to government regulation of IoT, with critics arguing that it threatens to halt innovation. Yet, companies remain anxious. In a regulatory vacuum it is often unclear where accountability lies. Organizational leaders understandably wonder: What are my company’s responsibilities? What is our exposure? Where are our liabilities?
Without government stricture, businesses continue to measure their IoT policy according to consumer demands. But will this be a strong enough motivator as we move into 5G connectivity? This technological evolution will require a new generation of devices – a perfect opportunity for manufacturers and developers to embed stronger security at creation. 5G networks will also need to bake in secure connectivity – such as end-to-end encryption – from the outset. But without customers demanding these features, will businesses implement them to the extent necessary for maximum security?
Organizations know IoT security is something they should think about, but to innovate quickly they’ve put IoT security on the back burner. They’re aware that their responsibilities will increase in the future, but without those responsibilities existing in law, when will they become a priority? History suggests that businesses will probably only commit the necessary resources once a huge IoT breach takes place and consumers insist on better standards. Currently such a breach spells disaster for digital systems, but in a 5G-connected world it could have a catastrophic impact in the physical world too, leading to injury and possibly death.
Without IoT security frameworks, consumers aren’t certain what they should demand from their IoT devices. If governments took the lead in developing a framework that led to some form of accreditation, consumers could look for a “seal of approval” that certified a device’s security. This would create the market-driven incentive companies might need to secure their devices at a respectable standard.
What should be done
Firstly, legislators need to adopt a unified approach to IoT regulation, amalgamating the disparate IoT security frameworks that currently focus on subsets of IoT security topics. Frameworks that could be brought together include:
- GSMA’s IoT Security Guidelines and Assessment
- Internet of Things Security Foundation’s IoT Security Compliance Framework
- Industrial Internet Consortium’s Industrial Internet Security Framework
Secondly, such a unified framework needs to be operational as well as conceptual. Frameworks are presently strong on guidance about how to think about securing IoT, but weak on specific steps that need to be taken. For instance, the Strategic Principles for Securing the Internet of Things document released by the Department of Homeland Security in 2016 is only 17 pages long. For a framework to become a basis for accreditation, it has to contain detailed requirements.
Finally, a primary IoT framework would need to be dynamic – responding and evolving with the industry and its learnings. This requires a structural process for continuous and rapid improvement of the framework in order to match industry developments.
The need for such an initiative has never been greater. Many see 5G as the bedrock of a utopian digital future, but within its many tremendous opportunities lurk unknowable threats. As 5G gains a foothold worldwide, it will facilitate a high-speed, low-latency Internet of Things, and foster new waves of edge-based computing. Though this is exciting, it also represents a sudden, exponential growth of the attack surface available to would-be cybercriminals. With a regulator-mandated IoT security framework in place covering the many facets of IoT security, we’ll have something that private individuals and organizations can rely on to drive trustworthy connectivity and responsible innovation.
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He has held multiple interim CISO and technology leadership roles in Global 2000 companies.